Facebook, Google and Oracle cloud are secretly tracking the porn you watch, according to a new joint study from Microsoft, Carnegie Mellon, and the University of Pennsylvania.

Researchers investigated 22,484 sex sites using a handy tool called webXray, which exposes tracking tools funneling data back to third parties.

“Our results indicate tracking is endemic on pornography websites: 93% of pages leak user data to a third-party,” the study finds. “Revelations about such data represent specific threats to personal safety and autonomy in any society that polices gender and sexuality.”

Researchers discovered that Google and its various outlets had trackers on 74% of the web’s top online orgasm destinations, Oracle had 24% and Facebook 10%, study authors report.

And if you think you’re being slick by toggling into “incognito” mode, think again. Even when self-pleasure sessions aren’t stored in your browser history, the data still gets fed to these third parties.

Study co-authors Elena Maris of Microsoft, Timothy Libert of Carnegie Mellon and Jennifer Henrichsen of U-Penn use a hypothetical porn peeper named “Jack” to illustrate how these tracking cookies work.

“The sites Jack visits, as well as any third-parties trackers, may observe and record his online action,” the study reads. “These third-parties may even infer Jack’s sexual interests from the URLs of the sites he visits. They might also use what they have decided about these interests for marketing or building a consumer profile.”

Yes, this means “they may even sell the data.”

“The fact that the mechanism for adult site tracking is so similar to, say, online retail should be a huge red flag,” study co-author Maris tells the New York Times.

Even worse: Maris and her co-researchers discovered that only 17% of the porn sites were encrypted. This leaves lots of opportunities for what study authors refer to as “widespread data leakage” and hacker “sextortion.”